We’re excited to announce the new ntopng stable release 6.4, a feature-packed update with a strong focus on asset visibility and QoE monitoring. This version introduces groundbreaking new dashboards, advanced reporting, better alerting, and many improvements to keep your network monitoring efficient and insightful.
Breakthroughs
- Asset Inventory & Digital Twin Dashboard
  Visualize your infrastructure like never before. The new dashboard provides a clear inventory of network assets with their virtual representations.
- Infrastructure Dashboard
  Manage multi-region deployments with a bird’s-eye view of your infrastructure and performance across distributed environments.
- Autonomous Systems Report
  Gain deeper insights into AS-level traffic flows and dependencies to optimize your internet routing strategies.
- Quality of Experience (QoE) Indicators
  Monitor user experience with new, detailed metrics that reveal network impact on end-user satisfaction.
- Improved SNMPv3 Support
  Full support for SHA256, SHA384, SHA512, and AES128 ensures secure, standards-compliant network polling.
- Access Control List (ACL) Alerting
  Define ACLs and get alerted on violations, giving you full visibility without enforcing blocks.
Head over to download the latest version and explore the documentation for detailed upgrade instructions.
Stay tuned for more features and insights! We’re building ntopng to help you stay ahead of the curve in network visibility and security. As always, we welcome your feedback and questions on our community channels or via GitHub.
Changelog
Breakthroughs
- New Asset Inventory / Digital Twin and Assets Dashboard
- New Infrastructure Dashboard to oversee multiple regions
- New Autonomous Systems (AS) report
- New Quality of Experience (QoE) indicators
- Add alert graph to visualize alerts graphically
- Improve SNMPv3 polling and support for SHA256, SHA384, SHA512, and AES128 authentication protocols
- Detect network and service scan by inspecting historical data to find slow scans
- Aggregate engaged/historical alerts implementing in-memory tables
- Add access control list (ACL) and alerting (no blocking)
Improvements
- Add DHCP fingerprint support
- Add JA4 client fingerprint
- Add many new custom queries to historical flows
- Add ability to determine when a host has a meaningful IP (IPv4 hosts only)
- Add support for STARTTLS when sending emails (also added a preference)
- Add custom field mapping (nProbe) in historical flows
- Add `--geoip-dir <dir>` for loading GeoIP files from a custom location
- Add preference to selectively enable ClickHouse flow dump
- Add SNMP_MSG_REPORT support
- Add service down check to scan alert
- Add ApexCharts responsiveness
- Add local vs remote traffic report
- Add Redis operations timeseries
- Add support for labels in timeseries
- Add per-minute NetFlow timeseries
- Add active exporters/interfaces count in log when limit exceeded
- Add support for nDPI address cache
- Change MAC serialization key based on mirrored traffic
- Enhance OS detection
- Extend conversation custom query with per-direction packets/bytes
- Extend ZMQ decompression buffer
- Implement NAT detected alert
- Implement nDPI OS hint support
- Implement broadcast domain serialization/deserialization
- Implement alert for anomalous Redis read/write counts
- Implement QUIC RTT calculation
- Implement host OS change detection
- Implement mechanism to retain old-dated collected flows longer
- Improve Dashboard layouts
- Improve Webhook messages and latency
- Improve flow swap heuristic
- Improve localhost MAC detection
- Improve flow alerts and add ability to refresh already-triggered alerts
- Improve host MAC address learning
- Improve service detection reliability
- Improve retransmission/out-of-order computation
- Improve formatting of Redis stats
- Improve hostname resolution
- Improve host label formatting (MAC hidden when IP is present)
- Improve formatting for large numbers
- Improve TCP window handling
- Improve host policy check
- Introduce ntopng Guru on Gurubase.io
- Unify Bootstrap table style with custom tables for dark mode
- Rework three-way handshake state detection
- Rework remote throughput collection
- Rework DNS flow direction handling
- Rework RTT calculation
- Optimize drop counters
- Add decoding hardening checks
- Add MDNS buffer length check
- Update MAC address models list
- Update to VueJS 3.5 with reworked observation point ID
- Various active monitoring improvements
- Rework TCP flags handling
- Integrate domain collection code
- Display APN MAC and SSID in historical flows
- Dump WLAN_SSID and WTP_MAC_ADDRESS in historical flows
- Support Linux interface aliases (altnames)
Changes
- Add sticky action column to tables
- Add option to dump pcap flows into ClickHouse
- Add SNMP delete-all button and fix unresponsive delete button
- Add RTT/Jitter table
- Add Lucide as internal library
- Add recipient stats for all endpoints
- Add Speedtest timeseries
- Add MAC address cache duration preference
- Add remediations for nDPI alerts
- Add license limits page
- Add SNMP data import/export support
- Add MITRE table and alerts view on ClickHouse cluster
- Add manufacturer to historical flows
- Add native sFlow (packet sample only) collector
- Add preference to exclude new interfaces from SNMP usage automatically
- Add L7 (nDPI) JSON collection in Suricata collector
- Extend number of interfaces supported by the view interface
- Show toasts when the flows/hosts limit is exceeded
- Rework DHCP flow key
- Change table styling for dark and white modes
- Disable hourly on unsupported queries
- Add per-direction packets/bytes in historical flows table
- Add LDAP preference to enable extended user capabilities
- Add server/client TCP flags to syslog
- Use SNMP aliases instead of names when available
- Increase ntopng password max length to 128 characters
- Implement ICMP type/code support
- Collect ICMP_TYPE
- Clean SQLite schema (remove problematic backticks, fix indentation)
- Rework alert serialization and change alert info format
- Modify nDPI defaults for RTP stream handling
- Merge TCP probing and probing attempt
- Support IPv6 address formatting with brackets
- Use capabilities for enabling SNMP trap collection
- Support enabling/disabling ClickHouse flow dump (alerts always dumped with -F clickhouse)
- Update API version and clean up code
- Enable filtering by custom fields sent from nProbe
- Remove JA3 leftovers and unused MIBs
- Remove obsolete TLS suspicious ESNI usage and improve device type guessing
- Remove support for deprecated apcon/VSS timestamps
- Remove packets from in/out traffic (unsupported for hourly)
- Remove obsolete flow serializers
Fixes
- Fix -x/-X option limits (now displayed in About page)
- Fix various issues on historical flow charts
- Fix SNMP page alert
- Fix link button color
- Fix format_utils.round function
- Fix top senders/receivers sorting on timeseries page
- Fix incorrect alerts counter on top of page
- Fix various dark mode style issues
- Fix server types in view interface
- Fix live stats reset on view interface
- Fix ClickHouse health page not found
- Fix JS table crash on missing sort column
- Fix asset link and last seen formatting
- Fix Suricata-DNS alert correlation
- Fix packet stats formatter on interface page
- Fix random crash on interface timeseries page
- Fix various SQL queries
- Fix default date-time values
- Fix suspicious DGA domain alert
- Fix host pool import and duplicate alert suppression
- Fix name display bugs
- Fix incorrect retransmission stats
- Fix host details flow table
- Fix IEC104 REST and add error messages
- Fix Speedtest issues
- Fix Sankey chart overflow
- Fix application editing without proto files
- Fix time label in timeseries
- Fix exporter timeseries for sub-interfaces
- Fix http_prefix missing in some pages
- Fix Modbus alert behavior
- Fix BS5 tooltip stacking
- Fix overlapping address handling in network policy
- Fix early flow expiration with netfilter
- Fix TCP retransmission handling with ZMQ
- Fix incorrect alert scores
- Fix alert score in CustomFlowLuaScript
- Fix flow deallocation with failed/disabled alert
- Fix L7 timeseries direction
- Fix usage calculation error
- Fix InfluxDB top timeseries
- Fix InfluxDB timeseries step issues
- Fix Kafka issues
- Fix missing user agent info in historical flow
- Fix TLS info column in flow logs
- Fix counter overflow
- Fix OPNsense package install
- Fix approximation issues in values
- Fix double probe count in disaggregation
- Fix SMTP/SMTPS STARTSSL handling
- Fix OS rendering
- Fix LDAP extended user capabilities
- Fix InfluxDB local hosts report
nEdge
- Enable Infrastructure Monitoring support
- Support Multicast/Broadcast forwarding policies between restricted/trusted interfaces
- Ignore shaper matching a ‘Not Assigned’ host when peer host matches a user/pool
- Add gateway alert and configuration
- Fix invalid nEdge update handling
- Fix netfilter counters direction
- Fix unexpected Modbus alert behavior
- Remove pools limit from about page and default host pool counter